Culture of convenience: Decisions, a click away

With decisions only a button away, the Internet fosters the convenience of immoral actions. Accountability for online actions practically does not exist. This lack of accountability is unprecedented in its severity, despite telecommunication technologies having been available for a hundred years. Ubiquitous encryption schemes facilitate illegal actions under the radar of the authorities and challenge their power.

The 21st century villain

The most striking example is SilkRoad, a web shop for the 21st century villain, offering goods ranging from drugs and weapons to contract killing. Modern encryption techniques allowed this network to flourish and stay in operation for almost two years. It could only be shut down due to human failure, that is, a security agent befriending the owner of the platform. Whereas shady business was once conducted in darkness, everyone could access this platform and make transactions without a realistic fear of consequences. The shutdown of SilkRoad exacerbated criminal activity online rather than containing it, with numerous replicas emerging. This decentralisation of criminal activity further impedes intelligence efforts. Immoral actions have never been this convenient.

“backdoors in encryption schemes must be rejected”

Whilst encryption enables journalistic work in underdeveloped countries, a general “right to encryption” is difficult to justify in functioning liberal societies. For this reason, the British parliament enacted the Investigatory Powers Act 2016 that specifies “obligations relating to the removal […] of electronic protection applied […] to any communications or data”. Similarly, the Australian parliament passed the “Assistance and Access Act” in December 2018, requiring companies to disclose “encrypted information” following a ministerial decision. Whilst these approaches facilitate intelligence operations online, the price is high. To date, there exist no technical solutions to grant special access to encrypted content only to officials. There probably never will be. Governmental backdoors in encryption schemes must therefore be rejected.

Data retention and minimisation

A balanced solution could lie in retaining some information for investigations (data retention), whilst minimising the overall stored information (data minimisation). This principle of data minimisation is a legal requirement under the current EU Data Protection Legislation, the GDPR. It must be adopted and enforced more widely, even in governmental operations. Neither governments nor private entities must be in the position of hoarding data about individuals, to minimise the risks of data breaches and surveillance. This data protection must happen by default, since it is not feasible for the individual to look after every single instance of data collection. Currently, we see a culture of convenience in entities amassing data, often kept without reason.

For example, Facebook retains your whole message history, even from years back. These messages are incredibly revealing and allow Facebook to target advertising at its users. With high probability, Facebook can identify your race, gender, and sexual orientation. Would you want this information to be shared with unknown parties in a potential data breach, or used by authorities without your knowledge? Facebook and other companies should finally embrace data minimisation and delete all information once it is no longer necessary for service fulfilment. Dated data should be deleted automatically after the smallest time span feasible. Of course, the user should be made aware of any data deletion, so that no information gets lost unexpectedly.

On the other hand, the Facebook messaging service offers end-to-end encryption, although it is not enabled by default. If this feature is used, only the recipients can read the message contents, not Facebook. The company knows, however, who communicates with whom, since the messages are delivered through its servers. Retaining some of this data would not break the underlying encryption schemes and could assist in investigations. It may well be used already these days. In any case, this information must under no circumstances be hoarded by default, and about all users. Instead, data should only be collected to the least extent possible if there is an official order following a restrictive process. At the moment, fear and convenience take precedence over reason in data collection, at the risk of the individual.

These risks are real. Only this week the financial services provider Equifax reached a settlement with the US authorities to pay $800m for their data breach in 2017, which exposed sensitive financial data of 150m citizens. Just imagine that this happened to the NSA, holding information about probably any citizen on this planet. Any IT system can be hacked, whether it belongs to a private company or a governmental agency.

Is Amazon better than SilkRoad?

Another example of the new convenience culture is Amazon. The success of their online marketplace illustrates that even the average citizen does not care about the consequences of online actions. Adding to the generally miserable circumstances of product production, Amazon is known for its poor working conditions. In addition, packaging, delivery, and returns yield considerable environmental costs. Whilst not illegal, buying on Amazon adds to the exploitation of labour and environment, often for sheer convenience.

To mitigate the environmental damage, several approaches have been discussed, revolving around either penalising the platform or the customers for their behaviour. Whilst some propose to ban the disposal of returned goods, others want to impose the costs for returns on the customers. All of these approaches are short-sighted. We need solutions that account for environmental costs and ensure fair competition. Time is of the essence, with CO2 levels on the rise.

Lessons learnt

Online services facilitate immoral, if not illegal, actions, and we currently lack the tools to handle them. Technological advances increasingly challenge the grasp of the authorities. In the case of encryption schemes, a combination of data retention and data minimisation could offer some relief. On the other hand, the example of Amazon highlights how the Internet abstracts away the consequences of our actions online. We must strive for genuine accountability online.

2 replies on “Culture of convenience: Decisions, a click away”

You wrote

Whilst encryption enables journalistic work in underdeveloped countries, a general “right to encryption” is difficult to justify in functioning liberal societies. For this reason, the British parliament enacted the Investigatory Powers Act 2016 that specifies “obligations relating to the removal […] of electronic protection applied […] to any communications or data”.

The Investigatory Powers Act, better known as the scooping act, is against many principles of liberal democracies. Indeed, mass spying on citizens without a court warrant is entirely contradicting the presumption of innocence, on which our legal system rests. I also disagree with your claim that “right to encryption”, something that can be paraphrased as “right to privacy” which is a fundamental right in some countries, is indefensible. I think it’s quite the contrary, and it seems to me that further down your article is arguing for it even. For this just think of the scooping act, or read any of the following:

I think you should reconsider why encryption should be a fundamental right in the digital age. Also, here’s a relevant (scifi) film:

Thank you very much for your insightful comment and the references. It seems to me that we’re on the same page: The Snooping Act goes many steps too far.

In the article, I point out that no right can be absolute, and the right to encryption must be weighed against other rights. There will inevitably be instances in which encryption facilitates criminal activity. So, naturally one has to debate how to cope with this. The current debate centres around the extremes, either mass-scale surveillance or an absolute right to encryption. I wrote the article to mediate between these two extremes and stay realistic.

You mention an interesting point in referring to the right to privacy, which is closely intertwined with a right to encryption, but can certainly not be paraphrased as another. The right to privacy exists in the offline world, the right to encryption does not. I do strongly believe that privacy must be protected online as offline, for which data minimisation is a powerful tool to limit the attack surface.
